I am on the verge of losing my cool after spending half a day on a seemingly trivial task of trying to create an exception for the Threat Prevention policy.
The goal is to allow my client's PCs to receive the phishing training communication from KnowBe4.
The vendor has three IPs, but each campaign generates new resources.
Every time a client tries to go to the spoofed site, i.e. "gmail.net-login.com", the gateway promptly bags it with:
Time: 2019-04-30T19:18:48Z
Interface Direction: inbound
Interface Name: eth3
Id: c0a8071f-0100-00c0-5cc8-9f9800000001
Sequencenum: 1
Threat Prevention Policy: Clean_Slate
Threat Prevention Policy Date:2019-04-30T19:17:59Z
Source: 10.101.30.101
Source Port: 50859
Destination Country: Israel
Destination: 62.0.58.94
Destination Port: 80
IP Protocol: 6
Session Identification Number:0x5cc89f98,0x1,0x1f07a8c0,0xc0000001
Protection Name: Phishing_website.mzle
Description: Connection to DNS trap bogus IP. See sk74060 for more information.
Confidence Level: High
Severity: High
Malware Action: Malicious network activity
Protection Type: DNS Trap
Threat Prevention Rule Id: FE9921CA-B861-425E-B0F2-19A1D217EFAD
Protection ID: 0018B6567
Log ID: 2
Scope: 10.101.30.101
Source User Name: ADuser2 Two (aduser2@higherintelligence.com)
Source Machine Name: win10net30@higherintelligence.com
User: ADuser2 Two (aduser2@higherintelligence.com)
Action: Prevent
Type: Log
Policy Name: Clean_Slate
Policy Management: SMS8030EA
Db Tag: {BAC69145-F44A-4148-9603-7CEBB47B7A42}
Policy Date: 2019-04-30T14:32:16Z
Blade: Anti-Virus
Origin: GW8030EA
Service: TCP/80
Product Family: Threat
Resource: gmail.net-login.com
Marker: @A@@B@1556596801@C@31302
Log Server Origin: 192.168.7.30
Orig Log Server Ip: 192.168.7.30
Index Time: 2019-04-30T19:19:54Z
Lastupdatetime: 1556651989000
Lastupdateseqnum: 1
Rounded Sent Bytes: 0
Rounded Bytes: 0
Stored: true
Rounded Received Bytes: 0
Suppressed Logs: 21
Sent Bytes: 0
Received Bytes: 0
Interface: eth3
Description: 10.101.30.101 performed malicious network activity that was prevented with DNS Trap
Threat Profile: Go to profile
Bytes (sent\received): 0 B \ 0 B
Trying to exempt the traffic by negating the destination group in the TP rules, creating manual exemptions with either "Detect" or "Inactive", or doing the same by creating the exemptions from the logs, does not change the behavior. DNS Trap is activated every time.
Searching for the Protection Name "Phishing_website.mzle" in either "Protections" or IPS Protections does not help. The thing is not there.
Even creating a Categorization Exception:
As unfeasible as it is for this particular task, it still does not work.
HELP!!!
You would not believe how many different combinations of rules, policies, profiles and exceptions I have tried 🙂
Presently, this is the policy with 2 profiles, one of them has no AV blade, as that's the one that seems to be triggering this protection, but I have tried it with single profiles with negated cells as well:
The exceptions are now in "Detect" mode, but I have tried it with "Inactive" as well:
Not to mention that the actual spoofed domain resolving to those IPs is in the "Categorization Exemption".
All of it still does not work.
Even if it did, it is not really a long-term solution for spoofing training vendors: they spin up instances on AWS behind dynamically allocated IPs and newly crafted domains every time.
That being said, the exemptions must work and they do not.
P.S. I think that the best solution for all involved will be for these companies to feed their exercise domains to the Threat Cloud for whitelisting and differentiated categorization.
This way, they will not be bagged by the protections and reduce manual labor for admins fighting with this issue.
Hi Vladimir
Categorization Exemption is for URLF, not AV/AB.
After setting up all those exception experiments, what logs do you see in SmartLog? Prevent logs for what?
Maybe the issue is that you didn't exempt the internal DNS server from inspection? Is there one? If so, it asks for gmail.net-login.com's IP address and gets the bogus address...
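The log card pasted in the first post and the point just made (a Categorization Exemption belongs to URL Filtering, while this Prevent came from the Anti-Virus blade's DNS Trap) are the two things an admin has to line up before writing an exception. The following Python script is an added example, not code from this thread or from Check Point: it parses the key/value text of a log card exactly as pasted (including the lines where the colon has no trailing space), pulls out the blade, protection type, resource and suppressed-log count, and aggregates DNS Trap hits per resource. The sample card is an abridged, constructed copy of the one in the first post; the "exception_scope" wording follows TP_Master's reply above, not any Check Point documentation.

```python
"""Added example: parse a Check Point Threat Prevention log card (the
key/value text shown in SmartLog) and extract the fields that decide
which exception mechanism applies."""
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the log card quoted in the thread.
SAMPLE_LOG = """\
Time: 2019-04-30T19:18:48Z
Interface Direction: inbound
Threat Prevention Policy: Clean_Slate
Threat Prevention Policy Date:2019-04-30T19:17:59Z
Source: 10.101.30.101
Destination: 62.0.58.94
Destination Port: 80
Session Identification Number:0x5cc89f98,0x1,0x1f07a8c0,0xc0000001
Protection Name: Phishing_website.mzle
Description: Connection to DNS trap bogus IP. See sk74060 for more information.
Protection Type: DNS Trap
Action: Prevent
Blade: Anti-Virus
Resource: gmail.net-login.com
Suppressed Logs: 21
Description: 10.101.30.101 performed malicious network activity that was prevented with DNS Trap
Bytes (sent\\received): 0 B \\ 0 B
"""

# "Key: value" or "Key:value" (the pasted card mixes both spacings).
KV_RE = re.compile(r"^([^:]+?):\s*(.*)$")


def parse_log_card(text):
    """Return {field: [value, ...]}.  Fields that repeat on the card
    (Description appears twice) keep every value in order."""
    record = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = KV_RE.match(line) if line else None
        if m:
            record[m.group(1).strip()].append(m.group(2).strip())
    return dict(record)


def first(record, name, default=""):
    """First value of a field, or default when the card lacks it."""
    values = record.get(name)
    return values[0] if values else default


def triage(record):
    """Reduce one card to the facts needed before writing an exception."""
    blade = first(record, "Blade")
    ptype = first(record, "Protection Type")
    is_dns_trap = ptype.lower() == "dns trap"
    result = {
        "blade": blade,
        "protection_type": ptype,
        "protection_name": first(record, "Protection Name"),
        "action": first(record, "Action"),
        "resource": first(record, "Resource"),
        "source": first(record, "Source"),
        "is_dns_trap": is_dns_trap,
        # One logged event plus the ones the gateway folded into it.
        "events": 1 + int(first(record, "Suppressed Logs", "0")),
    }
    if is_dns_trap:
        # Per the card's own description the destination is the trap's bogus
        # IP, not the host the client asked for, so keep it apart.
        result["bogus_destination"] = first(record, "Destination")
        # Assumption taken from the thread: categorization exemptions are a
        # URL Filtering feature and do not cover an AV/AB DNS Trap hit.
        result["exception_scope"] = (
            "Threat Prevention (%s blade) exception on the protection/resource; "
            "a URL Filtering categorization exemption does not cover this blade" % blade
        )
    else:
        result["exception_scope"] = "%s blade exception" % (blade or "unknown")
    return result


def resources_by_events(cards):
    """Aggregate several cards into {resource: total events} for DNS Trap
    hits only: the list to hand to the vendor or to put in the exception."""
    totals = defaultdict(int)
    for card in cards:
        t = triage(parse_log_card(card))
        if t["is_dns_trap"] and t["resource"]:
            totals[t["resource"]] += t["events"]
    return dict(totals)


if __name__ == "__main__":
    for key, value in triage(parse_log_card(SAMPLE_LOG)).items():
        print("%-20s %s" % (key, value))
    print(resources_by_events([SAMPLE_LOG]))
```

Paste additional cards (one string each) into `resources_by_events` to get the per-domain tally across a campaign; the count includes the "Suppressed Logs" the gateway folded into each card, so it reflects how often clients actually hit the trap rather than how many cards were written.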
@TP_Master , please see the very first post in this thread describing the event that I am seeing.
Of course the internal DNS forwarder itself is not exempt from overall inspection, but how does this figure into the AV triggering DNS Trap?
While gmail.net-login.com is definitely a spoofing URL, it does resolve to a number of IPs when tested from outside of the Check Point protected environment.
What then decides that the returned address supposed to be replaced by the DNS Trap?
How could that action be exempt, if neither IP nor application or URL exceptions are working?
@TP_Master , in this environment there is a common protection scope for the entire organization (i.e. a single default TP rule with scope "Any").
So the exception should, theoretically, work for both, the clients as well as internal DNS forwarders.
It is actually funny: KnowBe4 emailed me a response with the URLs to the txt files listing their phishing domains.
Along the way it was bagged by:
1. Office 365
2. Check Point gateway
3. Kaspersky AV on the endpoint
The only solution that did not pay any heed to this message was Check Point CloudGuard SaaS for Office 365.
Makes me wonder if it is a good sign or a bad one...
I am yet to see the darned lists.
Having the same issue, and CG SaaS is bagging our messages as well. We have overcome the SaaS issues, but the gateway doesn't seem to like any exception we put in. KB4 support is little to no help.
@TP_Master , in client's environment it is, but as you've rightly noticed, in my lab it is different.
Regardless, the problem is that the destination IPs of the spoofed domains are dynamic.
So trying to exempt them in the TP policy using scope, source and/or destination will not work.
I have to figure out how to bypass the TP based on domain names and FQDNs, which the TP policy does not support, and the categorization exception does not work.
Have you tried disabling DNS Trap on the TP profile?
@Marco_Valenti , I think KnowBe4 got this site whitelisted with the Threat Cloud, because it does not cause the same issues anymore in my client's case.
Their other landing page was being blocked by Quad9 secure DNS service and I have notified KB4 about all of these issues.
Got the response that they are working with the threat intelligence vendors to get their domains cleared.
I'm having this same issue only with a vendor named InfoSec IQ, used to be Security IQ. Anyway, I tried basically everything you tried. I am now asking the vendor to whitelist their domains with the Threat Cloud.
We use KB4 too and this is exactly the issue I'm running into. I right clicked the Prevent log card and "added exception" and then removed the source so it is ANY, but the URL is still blocked. Based on your solution I opened a case up with KB4. I tried to get the category changed, but CP still marked it as phishing. Waiting to see if that would help or I might open a CP case up to see how I can add an exception there since our spam filter also did mark it as phishing.